A Designer - PowerPoint PPT Presentation

Title: A Designer's Guide to KEMs. Author: Alexander W. Dent. Last modified by: Alex Dent. Created Date: 12/10/2003 2:54:15 PM. Document presentation format: PowerPoint PPT presentation

Slides: 28

1
A Designer's Guide to KEMs
  • Alex Dent
  • alex_at_fermat.ma.rhul.ac.uk
  • http://www.isg.rhul.ac.uk/alex

2
Asymmetric Ciphers
  • Involve two keys: a public key and a private key.
  • Alice wants to send a message to Bob.
  • Alice encrypts the message using Bob's public
    key.
  • Bob decrypts the message using his private key.

3
Asymmetric Ciphers
  • Tremendously convenient
  • (if we ignore the need for a PKI).
  • Slow for both encryption and decryption.
  • Usually only work with short messages.

4
Hybrid Ciphers
  • An asymmetric cipher that combines both
    asymmetric and symmetric cryptographic
    techniques.
  • - ISO/IEC 18033-2

5
Hybrid Ciphers
  1. Randomly generate a symmetric key.
  2. Encrypt the message using that symmetric key and
    some symmetric technique.
  3. Encrypt the symmetric key using an asymmetric
    technique.
  4. Send both parts to Bob.

6
Hybrid Ciphers
  • Decrypt the asymmetric ciphertext to recover the
    random symmetric key.
  • Decrypt the symmetric part using the newly
    decrypted random symmetric key.
  • Hybrid ciphers can cope with long messages and
    are not much slower than traditional asymmetric
    ciphers.

7
Hybrid Ciphers
  • Techniques have been used for years
  • (Used in PGP, SSL/TLS, IPSec.)
  • Can be done badly (see "Why textbook ElGamal and
    RSA encryption are insecure" by Boneh, Joux and
    Nguyen.)
  • Formalised as a KEM-DEM system by Shoup.

8
(No Transcript)
9
KEMs and DEMs
  • Formalise hybrid ciphers by splitting them into two
    parts:
  • Asymmetric key encapsulation mechanism (KEM)
  • Symmetric data encapsulation mechanism (DEM)

10
KEMs and DEMs
  • KEM takes as input a public key and produces a
    random symmetric key of a pre-specified length
    and an encryption of that key.
  • DEM takes as input a symmetric key and a message
    and outputs an encryption of that message.
  • Both have specific security requirements.

11
KEMs and DEMs
[Diagram labels: pk, KEM, C1, K, m, DEM, C2]

12
KEMs and DEMs
[Diagram labels: sk, KEM, C1, K, m, DEM, C2]

13
The Security Criterion for KEMs
  • Indistinguishable from random (IND) in the
    adaptive chosen ciphertext model (CCA2).
  • A KEM is secure if, given a symmetric key K and a
    ciphertext C produced by the KEM, no attacker can
    tell whether C decrypts to give K or whether K was
    chosen at random.
  • (The attacker also gets to make queries to a KEM
    decryption oracle in the usual way).

14
Designing KEMs
Can we build secure KEMs from secure encryption
algorithms?
  • By "secure" here we mean secure in a very weak
    sense.
  • We only assume that the encryption algorithm is
    secure in the OW-CPA model.

15
Designing KEMs
  • Secure in the OW-CPA model means it is hard to
    invert a random ciphertext given only the public
    key.
  • Two known constructions: RSA-KEM and PSEC-KEM.
  • Both have security proofs based on the underlying
    encryption mechanism.

16
Known Constructions I
  1. Generate a random plaintext.
  2. Encrypt the plaintext to give a ciphertext.
  3. Hash the plaintext and ciphertext to give a
    symmetric key.

[Diagram labels: RNG, r, ENCRYPT, C, HASH, K]

17
Known Constructions I
  • Provably secure (in the random oracle model)
  • However, the proof needs two extra assumptions:
  • The encryption algorithm must remain secure even
    if the attacker is given the ability to tell the
    difference between valid and invalid ciphertexts.
  • We must be able to tell if a plaintext/ciphertext
    pair is valid or not for the encryption
    algorithm.
  • Both of these conditions are fulfilled by RSA.

18
Known Constructions II
[Diagram labels: RNG, HASH, SPLIT, SMOOTH, ENCRYPT, C1, HASH, XOR, C2, K]

19
New Constructions I
  1. Generate a random plaintext.
  2. Encrypt the plaintext to give a ciphertext.
  3. Hash the plaintext to get a checksum.
  4. Hash the plaintext to give a symmetric key.

[Diagram labels: RNG, r, ENCRYPT, C1, HASH, C2, HASH, K]

20
New Constructions I
  • Provably secure (in the RO model).
  • Still need to have one extra assumption:
  • We must be able to tell if a plaintext/ciphertext
    pair is valid or not for the encryption
    algorithm.
  • This condition is always satisfied if the
    encryption algorithm is deterministic.

21
New Constructions II
  1. Generate a random plaintext.
  2. Hash the plaintext to get a string of random
    looking bits.
  3. Encrypt the plaintext using the hash code as the
    random coins.
  4. Hash that ciphertext to give a symmetric key.

[Diagram labels: RNG, r, HASH, ENCRYPT, C, HASH, K]

22
New Constructions II
  • Provably Secure (in the RO model).
  • No need for extra assumptions but does need a
    formal definition of probabilistic encryption
    algorithm.
  • Surprisingly, it doesn't work for deterministic
    algorithms (it becomes the first known
    construction).

23
Rabin-KEM
  • As a practical example we will describe a new KEM
    that is provably as secure as factoring.
  • There are already several hybrid schemes based on
    the difficulty of factoring (e.g. EPOC-2) but no
    KEMs.
  • Uses New Construction I.

24
Encryption
  • Let n = pq be an RSA modulus.
  • Choose r in the range 1, …, n.
  • Let C1 = Hash(r).
  • Let C2 = r^2 mod n.
  • Let K = Hash(r).
  • Output K and (C1, C2).

25
Decryption
  • Let the secret key be some method of determining
    square roots modulo n.
  • Compute the four square roots of C2: r1, r2, r3
    and r4.
  • If there exists exactly one ri such that
    Hash(ri) = C1 then output Hash(ri).
  • Otherwise output error.

26
Rabin-KEM
  • Provably as secure as factoring (in the random
    oracle model).
  • Checksum helps identify correct root.
  • Small chance that valid ciphertexts may be
    rejected.
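
The Rabin-KEM encryption and decryption steps above, as an added Python example that is not part of the original slides. Assumptions: the toy primes P and Q are constructed values, both congruent to 3 mod 4 so that square roots are a single exponentiation, and the two "Hash" uses are taken to be two different functions, modelled here as domain-separated SHA-256 (with one identical hash, the checksum C1 would equal the key K).

```python
import hashlib
import hmac
import secrets

# Constructed toy key: two Mersenne primes, both 3 mod 4, so a square root
# mod p is one exponentiation. Illustration only; never use such primes.
P, Q = 2**127 - 1, 2**107 - 1
N = P * Q
NBYTES = (N.bit_length() + 7) // 8

def _hash(tag: bytes, r: int) -> bytes:
    # Assumption: two domain-separated SHA-256 calls play the roles of the
    # checksum hash and the key-derivation hash on the slides.
    return hashlib.sha256(tag + r.to_bytes(NBYTES, "big")).digest()

def encapsulate(n: int):
    r = secrets.randbelow(n - 1) + 1           # random r in 1..n-1
    c1 = _hash(b"checksum", r)                 # C1 = Hash(r)
    c2 = pow(r, 2, n)                          # C2 = r^2 mod n
    return _hash(b"key", r), (c1, c2)          # K and (C1, C2)

def square_roots(c: int, p: int, q: int) -> set:
    # Candidate roots mod p and mod q (valid because p, q are 3 mod 4),
    # combined with the CRT into up to four candidates mod n.
    rp, rq = pow(c, (p + 1) // 4, p), pow(c, (q + 1) // 4, q)
    q_inv = pow(q, -1, p)
    return {(sq + q * ((sp - sq) * q_inv % p)) % (p * q)
            for sp in (rp, p - rp) for sq in (rq, q - rq)}

def decapsulate(p: int, q: int, ct):
    c1, c2 = ct
    n = p * q
    matches = [r for r in square_roots(c2 % n, p, q)
               if pow(r, 2, n) == c2           # discard candidates of a non-square C2
               and hmac.compare_digest(_hash(b"checksum", r), c1)]
    if len(matches) != 1:                      # the "exactly one root" rule
        return None                            # decryption error
    return _hash(b"key", matches[0])
```

Returning `None` stands in for the "output error" step; a caller must treat it as a rejected ciphertext and not fall back to any default key.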

27
Conclusions
  • KEM-DEM constructions promising, practical area
    of research.
  • More efficient constructions (especially in terms
    of ciphertext length)?
  • Specialist constructions?